# John ## Identifying Hashes * * * ## Online Hash Crackers * * ## Format-Specific Cracking Once you have identified the hash that you're dealing with, you can tell john to use it while cracking the provided hash using the following syntax: ``` john --format=[format] --wordlist=[path to wordlist] [path to file] ``` * This is the flag to tell John that you're giving it a hash of a specific format, and to use the following format to crack it * `--format=` ### Example Usage: ``` john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hash_to_crack.txt ``` * A Note on Formats: * When you are telling john to use formats, if you're dealing with a standard hash type, e.g. md5 as in the example above, you have to prefix it withraw- to tell john you're just dealing with a standard hash type, though this doesn't always apply. * To check if you need to add the prefix or not, you can list all of John's formats using john --list=formats and either check manually, or grep for your hash type using something like ``` john --list=formats | grep -iF "md5". ``` ## Cracking Windows Hashes ### NTHash and NTLM * NThash is the hash format that modern Windows Operating System machines will store user and service passwords in. * It's also commonly referred to as "NTLM" which references the previous version of Windows format for hashing passwords known as "LM", thus "NT/LM". -You can acquire NTHash/NTLM hashes by dumping the SAM database on a Windows machine. * By using a tool like Mimikatz or from the Active Directory database: NTDS.dit. * You may not have to crack the hash to continue privilege escalation- as you can often conduct a "pass the hash" attack instead, but sometimes hash cracking is a viable option if there is a weak password policy. ## Cracking Hashes on Linux ### Unshadowing * John can be very particular about the formats it needs data in to be able to work with it, for this reason- in order to crack /etc/shadow passwords, you must combine it with the /etc/passwd file in order for John to understand the data it's being given. To do this, we use a tool built into the John suite of tools called unshadow. The basic syntax of unshadow is as follows: ``` unshadow [path to passwd] [path to shadow] ``` * `unshadow` - Invokes the unshadow tool * `[path to passwd]` - The file that contains the copy of the /etc/passwd file you've taken from the target machine * `[path to shadow]` - The file that contains the copy of the /etc/shadow file you've taken from the target machine ### Example Usage: ``` unshadow local_passwd local_shadow > unshadowed.txt ``` #### Note on the files * When using unshadow, you can either use the entire /etc/passwd and /etc/shadow file- if you have them available, or you can use the relevant line from each, for example: * FILE 1 - local\_passwd * Contains the /etc/passwd line for the root user: ``` root:x:0:0::/root:/bin/bash ``` * FILE 2 - local\_shadow * Contains the /etc/shadow line for the root user: ``` root:$6$2nwjN454g.dv4HN/$m9Z/r2xVfweYVkrr.v5Ft8Ws3/YYksfNwq96UL1FX0OJjY1L6l.DS3KEVsZ9rOVLB/ldTeEL/OIhJZ4GMFMGA0:18576:::::: ``` ### Cracking * We're then able to feed the output from unshadow, in our example use case called "unshadowed.txt" directly into John. * We should not need to specify a mode here as we have made the input specifically for John. * However in some cases you will need to specify the format as we have done previously using: `--format=sha512crypt`. ``` john --wordlist=/usr/share/wordlists/rockyou.txt --format=sha512crypt unshadowed.txt ``` ## Cracking Zip Password Protected File ### Zip2John * Similarly to the unshadow tool that we used previously, we're going to be using the zip2john tool to convert the zip file into a hash format that John is able to understand * The basic usage is like this: ``` zip2john [options] [zip file] > [output file] ``` * `[options]` - Allows you to pass specific checksum options to zip2john, this shouldn't often be necessary * `[zip file]` - The path to the zip file you wish to get the hash of * `>` - This is the output director, we're using this to send the output from this file to the... * `[output file]` - This is the file that will store the output from #### Example Usage ``` zip2john zipfile.zip > zip_hash.txt ``` #### Cracking * We're then able to take the file we output from zip2john in our example use case called "zip\_hash.txt" and, as we did with unshadow, feed it directly into John as we have made the input specifically for it. ``` john --wordlist=/usr/share/wordlists/rockyou.txt zip_hash.txt ``` ## Cracking a Password Protected RAR Archive ### Rar2John * Almost identical to the zip2john tool that we just used, we're going to use the rar2john tool to convert the rar file into a hash format that John is able to understand. * The basic syntax is as follows: ``` rar2john [rar file] > [output file] ``` * `rar2john` - Invokes the rar2john tool * `[rar file]` - The path to the rar file you wish to get the hash of * `>` - This is the output director, we're using this to send the output from this file to the... * `[output file]` - This is the file that will store the output from #### Example Usage ``` rar2john rarfile.rar > rar_hash.txt ``` #### Cracking * Once again, we're then able to take the file we output from rar2john in our example use case called "rar\_hash.txt" and, as we did with zip2john we can feed it directly into John.. ``` john --wordlist=/usr/share/wordlists/rockyou.txt rar_hash.txt ``` ## Cracking SSH Keys ### SSH2John * As the name suggests ssh2john converts the id\_rsa private key that you use to login to the SSH session into hash format that john can work with. * Note that if you don't have ssh2john installed, you can use ssh2john.py, which is located in the `/opt/john/ssh2john.py`. * If you're doing this, replace the ssh2john command with python3 /opt/ssh2john.py or on Kali, python /usr/share/john/ssh2john.py. ``` ssh2john [id_rsa private key file] > [output file] ``` * `ssh2john` - Invokes the ssh2john tool * `[id_rsa private key file]` - The path to the id\_rsa file you wish to get the hash of * `>` - This is the output director, we're using this to send the output from this file to the... * `[output file]` - This is the file that will store the output from #### Example Usage ``` ssh2john id_rsa > id_rsa_hash.txt ``` #### Cracking * For the final time, we're feeding the file we output from ssh2john, which in our example use case is called "id\_rsa\_hash.txt" and, as we did with rar2john we can use this seamlessly with John: ``` john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa_hash.txt ``` ## Cracking Ansible Vault Keep the vault blob in its original format. `ansible2john` expects the `$ANSIBLE_VAULT` header and ciphertext lines exactly as Ansible writes them. ``` $ANSIBLE_VAULT;1.1;AES256 HEX_LINE_1 HEX_LINE_2 HEX_LINE_3 HEX_LINE_4 HEX_LINE_5 ``` If the vault content came from a Windows host or a copied YAML block, normalize it before cracking: ```bash cat -A vault.yml dos2unix vault.yml ``` For YAML files containing multiple vaulted variables, extract one vault blob per file: ```bash # username.raw and password.raw each start with $ANSIBLE_VAULT;... ansible2john password.raw > password.hash john --wordlist=/usr/share/wordlists/rockyou.txt password.hash john password.hash --show ``` After cracking the vault password, decrypt variables with Ansible: ```bash echo 'VAULT_PASSWORD' > vault.pass ansible localhost \ -m ansible.builtin.debug \ -a var=ansible_password \ -e @vault.yml \ --vault-password-file vault.pass ansible localhost \ -m ansible.builtin.debug \ -a var=ansible_username \ -e @vault.yml \ --vault-password-file vault.pass ``` If decryption fails after a successful crack, check for trailing spaces, missing indentation under `!vault |`, and Windows CRLF characters. ## PGP Keys * Have a file `tryhackme.adc` (the PGP Private Key block) and `credential.pgp` (the encrypted file) * Use `gpg2john` output the PGP key to a hash format ``` gpg2john tryhackme.asc > hash ``` * Should look like this: ``` tryhackme:$gpg$*17*54*3072*713ee3f57cc950f8f89155679abe2476c62bbd286ded0e049f886d32d2b9eb06f482e9770c710abc2903f1ed70af6fcc22f5608760be*3*254*2*9*16*0c99d5dae8216f2155ba2abfcc71f818*65536*c8f277d2faf97480:::tryhackme ::tryhackme.asc ``` * Crack the hash ``` john --wordlist=/usr/share/wordlists/rockyou.txt hash john --format=gpg --wordlist=/usr/share/wordlists/rockyou.txt hash ``` * Should end up with the file contents ``` tryhackme:alexandru:::tryhackme ::tryhackme.asc ``` * Now need to use gpg to import the key back on the target box ``` gpg --import tryhackme.asc gpg --decrypt credential.pgp ``` ### GPG Errors ``` gpg: decryption failed: No secret key ``` * Errors populates despite it being the correct key -> Memory daemon needs restarting ``` ps aux | grep gpg-agent kill -14 pid# ``` ## Rule Based Attacks * Also known as hybrid attacks. * Assumes attacker knows something about the password policy. * John config file: ``` /etc/john/john.conf OR /opt/john/john.conf ``` * Look for `List.Rules` to see the available rules. * Example: ``` cat /etc/john/john.conf|grep "List.Rules:" | cut -d"." -f3 | cut -d":" -f2 | cut -d"]" -f1 | awk NF JumboSingle o1 o2 i1 i2 o1 i1 o2 i2 best64 d3ad0ne dive InsidePro T0XlC rockyou-30000 specific ``` * `best64` rule contains the best 64 built in `John` Rules. * To use: ``` echo "tryhackme" > single-password-list.txt john --wordlist=/tmp/single-password-list.txt --rules=best64 --stdout | wc -l Using default input encoding: UTF-8 Press 'q' or Ctrl-C to abort, almost any other key for status 76p 0:00:00:00 100.00% (2021-10-11 13:42) 1266p/s pordpo 76 ``` * \--wordlist= to specify the wordlist or dictionary file. * \--rules to specify which rule or rules to use. * \--stdout to print the output to the terminal. * |wc -l to count how many lines John produced. * By running the previous command we have expanded our password list from 1 (tryhackme) to 76. #### Another Good Rule to use: ``` john --wordlist=single-password-list.txt --rules=KoreLogic --stdout |grep "Tryh@ckm3" Using default input encoding: UTF-8 Press 'q' or Ctrl-C to abort, almost any other key for status Tryh@ckm3 7089833p 0:00:00:02 100.00% (2021-10-11 13:56) 3016Kp/s tryhackme999999 ``` ### Creating Custom Rules * we want to add special characters to the beginning and a number to the end, the format would be: ``` [symbols]word[0-9] ``` * We can add our rule to the end of john.conf: ``` user@machine$ sudo vi /etc/john/john.conf [List.Rules:THM-Password-Attacks] Az"[0-9]" ^[!@#$] ``` \[List.Rules:THM-Password-Attacks] specify the rule name THM-Password-Attacks. * `Az` represents a single word from the original wordlist/dictionary using `-p`. * `"[0-9]"` append a single digit (from 0 to 9) to the end of the word. For two digits, we can add `"[0-9][0-9]"` and so on. * `^[!@#$]` add a special character at the beginning of each word. `^` means the beginning of the line/word. Note, changing `^` to `$` will append the special characters to the end of the line/word. ### Note * All credit goes to the creator(s) of the John the Ripper Tool on THM. * [www.tryhackme.com/room/johntheripper0](http://www.tryhackme.com/room/johntheripper0) *** ## hashID for John Format ```bash hashid -j 193069ceb0461e1d40d216e32c79c704 ``` *** ## Single Crack Mode ```bash john --single passwd ``` *** ## Incremental Mode ```bash john --incremental ``` ### View Incremental Modes in Config ```bash grep '# Incremental modes' -A 100 /etc/john/john.conf ``` *** ## 2john Conversion Tools * Use `locate *2john*` to find all available converters | Tool | Use | | ----------------- | ----------------------- | | `ssh2john.py` | SSH private keys | | `office2john.py` | MS Office documents | | `pdf2john.py` | PDF files | | `zip2john` | ZIP archives | | `rar2john` | RAR archives | | `7z2john.pl` | 7z archives | | `bitlocker2john` | BitLocker volumes | | `keepass2john` | KeePass databases | | `putty2john` | PuTTY keys | | `pfx2john` | PFX/PKCS12 certificates | | `ansible2john` | Ansible Vault blobs | | `gpg2john` | GPG keys | | `wpa2john` | WPA handshakes | | `vncpcap2john` | VNC pcap files | | `mscash2john` | MS Cache hashes | | `DPAPImk2john.py` | DPAPI master keys | *** ## Cracking Office Documents ```bash office2john.py Protected.docx > protected-docx.hash john --wordlist=rockyou.txt protected-docx.hash john protected-docx.hash --show ``` *** ## Cracking PDFs ```bash pdf2john.py PDF.pdf > pdf.hash john --wordlist=rockyou.txt pdf.hash john pdf.hash --show ``` Example with an infrastructure note or other protected PDF: ```bash pdf2john.py Infrastructure.pdf > infrastructure.hash john --wordlist=/usr/share/wordlists/rockyou.txt infrastructure.hash john infrastructure.hash --show ``` *** ## Cracking OpenSSL-Encrypted Archives ```bash file GZIP.gzip for i in $(cat rockyou.txt);do openssl enc -aes-256-cbc -d -in GZIP.gzip -k $i 2>/dev/null| tar xz;done ``` *** ## Hunting for Encrypted Files ```bash for ext in $(echo ".xls .xls* .xltx .od* .doc .doc* .pdf .pot .pot* .pp*");do echo -e "\nFile extension: " $ext; find / -name *$ext 2>/dev/null | grep -v "lib\|fonts\|share\|core" ;done ``` *** ## Hunting for SSH Keys ```bash grep -rnE '^\-{5}BEGIN [A-Z0-9]+ PRIVATE KEY\-{5}$' /* 2>/dev/null ``` *** ## Check if SSH Key is Encrypted ```bash ssh-keygen -yf ~/.ssh/id_ed25519 ssh-keygen -yf ~/.ssh/id_rsa ``` *** ## Mounting BitLocker in Linux ```bash sudo apt-get install dislocker sudo mkdir -p /media/bitlocker /media/bitlockermount sudo losetup -f -P Backup.vhd sudo dislocker /dev/loop0p2 -u1234qwer -- /media/bitlocker sudo mount -o loop /media/bitlocker/dislocker-file /media/bitlockermount ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://book.ice-wzl.xyz/tool-guides/john-the-ripper.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.